Question
I have tasks that are placed onto a background queue for async processing. The standalone queue worker needs to authenticate to a separate API using IdentityServer 4, essentially "impersonating" the original user that triggered the task.
The two options I can see for doing this are:
- Push the access and refresh tokens of the user into the queue's payload, and use these to authenticate when the task is picked up and executed. The main issue with this is that the queue's payload is stored in a database for an extended period of time, even after execution, meaning access and refresh tokens will be stored.
- Try and recreate this type of user impersonation in IdentityServer 4, https://www.moonlightbytes.com/blog/impersonation-in-identity-server-3. This would mean saving the original user's username in the queue's payload.
My questions are:
- Which one of these two options is preferable and more secure?
- Is there any other way to achieve what I need?
Answer 1:
I would suggest using delegation, i.e. pushing the access token (only) into the queue's payload (to identify the user later on) and using your worker's ClientCredentials to authenticate at the moment of the call.
The refresh token is definitely not to be shared. It is a property of the app it was requested for.
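The delegation flow suggested in the answer, sketched as an added example (not code from the original answer): an IdentityServer4 extension grant validates the queued user access token, and the worker authenticates with its own client credentials while presenting that token. The grant name `delegation`, the `token` parameter, the `queue.worker` client, the `api2` scope and the token endpoint URL are assumptions chosen for illustration.

```csharp
using System.Linq;
using System.Net.Http;
using System.Threading.Tasks;
using IdentityModel.Client;
using IdentityServer4.Models;
using IdentityServer4.Validation;

// IdentityServer side: extension grant that exchanges a user's access token
// for a new token issued to the calling client on that user's behalf.
public class DelegationGrantValidator : IExtensionGrantValidator
{
    private readonly ITokenValidator _validator;
    public DelegationGrantValidator(ITokenValidator validator) => _validator = validator;

    public string GrantType => "delegation"; // assumed grant name

    public async Task ValidateAsync(ExtensionGrantValidationContext context)
    {
        // The worker sends the queued user token in the "token" form field.
        var userToken = context.Request.Raw.Get("token");
        var result = string.IsNullOrEmpty(userToken)
            ? null
            : await _validator.ValidateAccessTokenAsync(userToken);
        var sub = result?.Claims?.FirstOrDefault(c => c.Type == "sub")?.Value;

        // Missing, invalid or expired token, or no subject claim: refuse the grant.
        context.Result = (result == null || result.IsError || sub == null)
            ? new GrantValidationResult(TokenRequestErrors.InvalidGrant)
            : new GrantValidationResult(sub, GrantType);
    }
}

// Worker side (a separate project in practice): the worker authenticates as
// itself and presents the access token it read from the queue payload.
public static class QueueWorkerAuth
{
    public static Task<TokenResponse> DelegateAsync(HttpClient http, string queuedUserToken) =>
        http.RequestTokenAsync(new TokenRequest
        {
            Address = "https://identity.example/connect/token", // placeholder URL
            GrantType = "delegation",
            ClientId = "queue.worker",      // hypothetical client id
            ClientSecret = "worker-secret", // placeholder; load from a secret store
            Parameters = { { "token", queuedUserToken }, { "scope", "api2" } }
        });
}
```

The validator is registered with `AddExtensionGrantValidator<DelegationGrantValidator>()` and the worker's client entry needs `"delegation"` in `AllowedGrantTypes`. Because `ValidateAccessTokenAsync` rejects expired tokens, the exchange only succeeds while the queued access token is still valid.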
Source: https://stackoverflow.com/questions/58076186/whats-the-most-secure-way-to-authenticate-background-queue-workers-using-identi